The aftermath of Schrems II: Increased need for adequacy assessments of the legal systems of non-EU countries to ensure data transfer compliance with the GDPR
November 2020 – On 16 July 2020, the Court of Justice of the EU (“CJEU”) issued a landmark judgment in the case of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II Decision”).
Although probably the most important consequence of the Schrems II Decision is striking down of the Privacy Shield mechanism and forcing organisations that wish to transfer personal data to the United States to turn to alternative mechanisms, data transfers to any third country outside the EU are significantly impacted as well.
In this respect, when transfers of data are based on the standard contractual clauses (“SCC”), the Schrems II Decision explicitly requires that both the EU-based data exporter and the non-EU based data importer “verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned.”
Kinstellar’s Belgrade office was the first on the firm-wide level to be approached by a client with the task to prepare an assessment of the adequacy of the protection granted by Serbian law in relation to transfers of personal data from an EU-based data exporter to a Serbian-based data importer. Given the novelty of the situation and the fact that there were no predetermined criteria that the assessment was supposed to follow, we based our analysis on the findings set out in the Schrems II Decision.
In order to establish whether the level of protection existing under Serbian law is essentially equivalent to that guaranteed within the EU, we first focused on establishing the consistency of various areas of Serbian law with the fundamental principles envisaged in the Charter of Fundamental Rights of the EU that were particularly highlighted by the CJEU as the most relevant ones (such as right to respect for private and family life, the right to protection of personal data, the right to an effective remedy and to a fair trial as well as the principle governing the scope of guaranteed rights).
We then analysed the question of whether Serbian law unduly restricts a data importer from complying with its obligations under the SCC.
Finally, the third and most difficult part of the analysis was our review of public laws, as we were required to determine the extent to which Serbian public authorities can access the personal data transferred to the data importer and the limits on that access. In this respect, apart from providing the overview of the relevant Serbian framework, our goal was also to determine whether Serbian law contained any problematic characteristics present in the US law that could ultimately lead to the invalidation of the Privacy Shield. We, inter alia, considered whether Serbian public authorities are allowed to collect personal data “in bulk”, whether there are defined limits on requests for access to data by Serbian public authorities, whether there is judicial scrutiny over such requests to access and whether data subjects are entitled to seek redress against Serbian public authorities in a Serbian court.
For more information please contact Dragana Bajić, Managing Associate, at , and Jelena Tripkovic, Associate, at .